Opam publish and GH authentification

Learning
1

Is the recent switch of github two-factor authentification impacted the way opam publish operates ?

I’ve recently switched to 2FA for GH and when trying to publish a package with opam publish, i get

$ opam publish

The following will be published:
  - rfsm version 2.0 with opam file at /Users/jserot/Dev/ml/rfsm/rfsm.opam
    archive at https://github.com/jserot/rfsm/archive/refs/tags/2.0.tar.gz


You will be shown the patch before submitting.
Please confirm the above data. Continue ?  [Y/n] Y
Cloning the package repository, this may take a while...
+ /usr/local/bin/git "clone" "git@github.com:ocaml/opam-repository.git" "/Users/jserot/.opam/plugins/opam-publish/repos/ocaml%opam-repository"
- Cloning into '/Users/jserot/.opam/plugins/opam-publish/repos/ocaml%opam-repository'...
- @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
- @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
- @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
- IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
- Someone could be eavesdropping on you right now (man-in-the-middle attack)!
- It is also possible that a host key has just been changed.
- The fingerprint for the RSA key sent by the remote host is
- SHA256:uNiVztksCsDhcc0u9e8B.................................
- Please contact your system administrator.
- Add correct host key in /Users/jserot/.ssh/known_hosts to get rid of this message.
- Offending RSA key in /Users/jserot/.ssh/known_hosts:30
- Host key for github.com has changed and you have requested strict checking.
- Host key verification failed.
- fatal: Could not read from remote repository.
- 
- Please make sure you have the correct access rights
- and the repository exists.
[ERROR] Uncaught exception: "/usr/local/bin/git clone git@github.com:ocaml/opam-repository.git
        /Users/jserot/.opam/plugins/opam-publish/repos/ocaml%opam-repository" exited with code 128

Do i have to update the abovementioned known_hosts file ? I thought 2FA had rended this auth method obsolete (but must admit i’m a bit confused by all these changes in authorisation protocols :confused: )

2

Indeed you have to update your known_hosts file – see the background at We updated our RSA SSH host key - The GitHub Blog (GitHub updated their SSH key and don’t have appropriate rollover procedures (such as DNS SSHFP) in place).

3

Ok. Thanks for the tip !

4

To answer this particular bit, they serve different purposes:

  • 2FA and your ssh key authenticate you to github (so that github knows who you are)
  • known_hosts authenticate github to you (so that you know you’re connecting to github)
5

Hum. I’ve followed the instructions given in the GH blog (i.e. updated the known-hosts file) but now gets the following error:

$ opam publish

The following will be published:
  - rfsm version 2.0 with opam file at /Users/jserot/Dev/ml/rfsm/rfsm.opam
    archive at https://github.com/jserot/rfsm/archive/refs/tags/2.0.tar.gz


You will be shown the patch before submitting.
Please confirm the above data. Continue ?  [Y/n] Y
Cloning the package repository, this may take a while...
+ /usr/local/bin/git "clone" "git@github.com:ocaml/opam-repository.git" "/Users/jserot/.opam/plugins/opam-publish/repos/ocaml%opam-repository"
- Cloning into '/Users/jserot/.opam/plugins/opam-publish/repos/ocaml%opam-repository'...
- git@github.com: Permission denied (publickey).
- fatal: Could not read from remote repository.
- 
- Please make sure you have the correct access rights
- and the repository exists.

Am i still missing sth ?

6

Is your ssh key added to your account? You can check that with ssh git@github.com.

7

I realy don’t know

$ ssh git@github.com
git@github.com: Permission denied (publickey).
8

It means that the ssh key you’re using has not been set up in your github account.

9

Ah yes. My SSH key has been deleted on my GH account because unused for more than one year…
Had to re-renter it.
Thanks for pointing me to this !